WSO2 EMM Agent configurations to enroll and manage devices

...

  1. Open the carbon.xml file that is in the <EMM_HOME>/repository/conf directory.
  2. Uncomment the HostName attribute and provide the server IP.
    Default: 

    Code Block
    <!--HostName>www.wso2.org</HostName-->

    An example of the configuration after the change:

    Code Block
    <HostName>10.100.7.35</HostName>
  3. Uncomment the MgtHostName attribute and provide the server IP.
    Default: 

    Code Block
    <!--MgtHostName>mgt.wso2.org</MgtHostName-->

    An example of the configuration after the change:

    Code Block
    <MgtHostName>10.100.7.35</MgtHostName>
  4. Comment out the ServerURL element that is uncommented by default, and uncomment the ServerURL element that is commented out by default.
    Configure the newly uncommented ServerURL as follows:
    1. Provide localhost as the value for {carbon.local.ip}.
    2. Provide the https port as the value for {carbon.management.port}.
      By default, the port is 9443.
    3. Remove ${carbon.context}.

    By default:

    Code Block
    <ServerURL>local:/${carbon.context}/services/</ServerURL>
    <!--
    <ServerURL>https://${carbon.local.ip}:${carbon.management.port}${carbon.context}/services/</ServerURL>
    -->

    An example of the configuration after the change:

    Code Block
    <!--ServerURL>local:/${carbon.context}/services/</ServerURL-->
    <ServerURL>https://localhost:9443/services/</ServerURL>
  5. Restart the WSO2 EMM server.
  6. Log in to the WSO2 App Manager publisher to publish applications, or to the WSO2 App Manager store to install apps on mobile devices.

    Info
    • Access the WSO2 App Manager publisher:
      • http://localhost:9763/publisher
      • https://localhost:9443/publisher
    • Access WSO2 App Manager store
      • http://localhost:9763/store/
      • https://localhost:9443/store
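The following script applies steps 2 to 4 to the text of carbon.xml and then reports what is actually in effect, so the edit can be verified before the server is restarted. It is an added example, not part of the WSO2 documentation or product: it works on a constructed carbon.xml fragment holding only the elements this procedure touches, and the function and parameter names (configure_carbon_xml, active_settings, check_configuration, server_ip, management_port) are its own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed carbon.xml fragment with the defaults shown above. The real file
# has many more elements; only the ones this procedure touches are kept here.
DEFAULT_CARBON_XML = """<Server>
    <!--HostName>www.wso2.org</HostName-->
    <!--MgtHostName>mgt.wso2.org</MgtHostName-->
    <ServerURL>local:/${carbon.context}/services/</ServerURL>
    <!--
    <ServerURL>https://${carbon.local.ip}:${carbon.management.port}${carbon.context}/services/</ServerURL>
    -->
</Server>
"""

# The https ServerURL that is commented out by default (step 4).
COMMENTED_HTTPS_SERVER_URL = re.compile(
    r"<!--\s*<ServerURL>https://\$\{carbon\.local\.ip\}:\$\{carbon\.management\.port\}"
    r"\$\{carbon\.context\}/services/</ServerURL>\s*-->"
)


def configure_carbon_xml(xml_text, server_ip, management_port=9443):
    """Apply steps 2 to 4 to the text of carbon.xml and return the edited text."""
    # Steps 2 and 3: uncomment HostName and MgtHostName and set them to the server IP.
    for tag in ("HostName", "MgtHostName"):
        xml_text = re.sub(
            r"<!--%s>[^<]*</%s-->" % (tag, tag),
            lambda m: "<%s>%s</%s>" % (tag, server_ip, tag),
            xml_text,
        )
    # Step 4a: comment out the local: ServerURL that is active by default.
    xml_text = xml_text.replace(
        "<ServerURL>local:/${carbon.context}/services/</ServerURL>",
        "<!--ServerURL>local:/${carbon.context}/services/</ServerURL-->",
    )
    # Step 4b: activate the https ServerURL with localhost for ${carbon.local.ip},
    # the https port for ${carbon.management.port}, and ${carbon.context} removed.
    xml_text = COMMENTED_HTTPS_SERVER_URL.sub(
        lambda m: "<ServerURL>https://localhost:%d/services/</ServerURL>" % management_port,
        xml_text,
    )
    return xml_text


def active_settings(xml_text):
    """Return the HostName, MgtHostName and ServerURL values that are in effect.
    The XML parser drops comments, so commented-out elements are not reported."""
    root = ET.fromstring(xml_text)
    return {tag: root.findtext(tag) for tag in ("HostName", "MgtHostName", "ServerURL")}


def check_configuration(xml_text, server_ip):
    """List every way the file still differs from the end state of steps 2 to 4;
    an empty list means the file is configured as described."""
    problems = []
    settings = active_settings(xml_text)
    for tag in ("HostName", "MgtHostName"):
        if settings[tag] != server_ip:
            problems.append("%s is %r, expected %r" % (tag, settings[tag], server_ip))
    url = settings["ServerURL"] or ""
    if not url.startswith("https://"):
        problems.append("ServerURL is %r, expected an https:// URL" % url)
    if "${carbon.context}" in url:
        problems.append("ServerURL still contains ${carbon.context}")
    return problems


if __name__ == "__main__":
    updated = configure_carbon_xml(DEFAULT_CARBON_XML, "10.100.7.35")
    print(updated)
    print("remaining problems:", check_configuration(updated, "10.100.7.35"))
```

Running check_configuration against the untouched default reports all four elements as still wrong; after configure_carbon_xml it reports nothing, and running the edit a second time leaves the file unchanged, so it is safe to re-run.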

...

  1. Enable SSO in the following configuration files, under the ssoConfiguration section:

    • config.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory.

    • store.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/store/config directory.
    • publisher.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config directory.

      Code Block
      "enabled" : true,
  2. Configure the Identity Provider (IdP) in the following configuration files, under the ssoConfiguration section:

    Tip

    For example, you can use the following steps to configure WSO2 Identity Server (IS) as an Identity Provider (IdP). For more information on configuring IS, see enabling SSO for WSO2 servers.

    • config.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory.

    • store.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/store/config directory.
    • publisher.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config directory. 

    config.json:
    Code Block
    "identityProviderURL" : "%https.ip%/sso/samlsso.jag",
    "responseSigningEnabled" : "true",
    "keyStorePassword" : "wso2carbon",
    "identityAlias" : "wso2carbon",
    "keyStoreName" : "/repository/resources/security/wso2carbon.jks"

    store.json:
    Code Block
    "identityProviderURL": "%https.host%/samlsso",
    "keyStorePassword": "wso2carbon",
    "identityAlias": "wso2carbon",
    "responseSigningEnabled": "true",
    "storeAcs" : "%https.host%/store/acs",
    "keyStoreName": "/repository/resources/security/wso2carbon.jks"

    publisher.json:
    Code Block
    "identityProviderURL": "%https.host%/samlsso",
    "keyStorePassword": "wso2carbon",
    "identityAlias": "wso2carbon",
    "responseSigningEnabled": "true",
    "publisherAcs": "%https.host%/publisher/sso",
    "keyStoreName": "/repository/resources/security/wso2carbon.jks"

    The IdP related property definitions are as follows:

    • identityProviderURL - Provide the URL to which the user is redirected when signing in.

    • keyStorePassword - Provide the Key Store password.

    • identityAlias - Provide the Key Store identity alias or username.

    • keyStoreName - Provide the key store that holds the Identity Provider's (e.g., WSO2 IS) public key.

      Info

      The keyStorePassword and identityAlias are defined under <KeyStore> in the carbon.xml file, which is in the <EMM_HOME>/repository/conf directory.

      The KeyStore element in carbon.xml:
      Code Block
      <KeyStore>
         <!-- Keystore file location-->
         <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
         <!-- Keystore type (JKS/PKCS12 etc.)-->
         <Type>JKS</Type>
         <!-- Keystore password-->
         <Password>wso2carbon</Password>
         <!-- Private Key alias-->
         <KeyAlias>wso2carbon</KeyAlias>
         <!-- Private Key password-->
         <KeyPassword>wso2carbon</KeyPassword>
      </KeyStore>
    • storeAcs - Provide the Assertion Consumer URL, which is the redirecting URL, for the Store.

    • publisherAcs - Provide the Assertion Consumer URL, which is the redirecting URL, for the Publisher.

    Note

    By default, an Identity Provider (IdP) has been bundled with the EMM binary pack. If you wish to use this default IdP in EMM, modify the host/ip to the Server IP. If you wish to use your own IdP, modify the host/ip to your own IdP's host in the following files:

    config.json:

    Update the config.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory.

    Code Block
    "identityProviderURL" : "%https.ip%/sso/samlsso.jag",

    store.json:

    Update the store.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/store/config directory.

    Code Block
    "identityProviderURL": "%https.host%/samlsso",

    publisher.json:

    Update the publisher.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config directory.

    Code Block
    "identityProviderURL": "%https.host%/samlsso",
  3. Update the SSO related IdP configurations in the sso-idp-config.xml file, which is in the <EMM_HOME>/repository/conf/identity directory, by changing every entry that states localhost to your IdP's IP address or domain.

    Code Block
       <ServiceProvider>
          <Issuer>mdm</Issuer>
          <AssertionConsumerServiceURLs>
             <AssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</AssertionConsumerServiceURL>
          </AssertionConsumerServiceURLs>
          <DefaultAssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</DefaultAssertionConsumerServiceURL>
          <SignAssertion>true</SignAssertion>
          <SignResponse>true</SignResponse>
          <EnableAttributeProfile>false</EnableAttributeProfile>
          <IncludeAttributeByDefault>false</IncludeAttributeByDefault>
          <Claims>
             <Claim>http://wso2.org/claims/role</Claim>
             <Claim>http://wso2.org/claims/emailaddress</Claim>
          </Claims>
          <EnableSingleLogout>false</EnableSingleLogout>
          <SingleLogoutUrl />
          <EnableAudienceRestriction>true</EnableAudienceRestriction>
          <EnableRecipients>true</EnableRecipients>
          <AudiencesList>
             <Audience>https://localhost:9443/oauth2/token</Audience>
          </AudiencesList>
          <RecipientList>
             <Recipient>https://localhost:9443/oauth2/token</Recipient>
          </RecipientList>
          <ConsumingServiceIndex />
       </ServiceProvider>
       <ServiceProvider>
          <Issuer>store</Issuer>
          <AssertionConsumerServiceURLs>
             <AssertionConsumerServiceURL>https://localhost:9443/store/acs</AssertionConsumerServiceURL>
          </AssertionConsumerServiceURLs>
          <DefaultAssertionConsumerServiceURL>https://localhost:9443/store/acs</DefaultAssertionConsumerServiceURL>
          <SignResponse>true</SignResponse>
          <CustomLoginPage>/store/login.jag</CustomLoginPage>
       </ServiceProvider>
       <ServiceProvider>
          <Issuer>social</Issuer>
          <AssertionConsumerServiceURLs>
             <AssertionConsumerServiceURL>https://localhost:9443/social/acs</AssertionConsumerServiceURL>
          </AssertionConsumerServiceURLs>
          <DefaultAssertionConsumerServiceURL>https://localhost:9443/social/acs</DefaultAssertionConsumerServiceURL>
          <SignResponse>true</SignResponse>
          <CustomLoginPage>/social/login</CustomLoginPage>
       </ServiceProvider>
       <ServiceProvider>
          <Issuer>publisher</Issuer>
          <AssertionConsumerServiceURLs>
             <AssertionConsumerServiceURL>https://localhost:9443/publisher/acs</AssertionConsumerServiceURL>
          </AssertionConsumerServiceURLs>
          <DefaultAssertionConsumerServiceURL>https://localhost:9443/publisher/acs</DefaultAssertionConsumerServiceURL>
          <SignResponse>true</SignResponse>
          <CustomLoginPage>/publisher/controllers/login.jag</CustomLoginPage>
       </ServiceProvider>
  4. Enable authentication session persistence by uncommenting the following configuration in the <EMM_HOME>/repository/conf/identity.xml file, under the Server and JDBCPersistenceManager elements.

    Code Block
    <SessionDataPersist>
        <Enable>true</Enable>
        <RememberMePeriod>20160</RememberMePeriod>
        <CleanUp>
            <Enable>true</Enable>
            <Period>1440</Period>
            <TimeOut>20160</TimeOut>
        </CleanUp>
        <Temporary>false</Temporary>
    </SessionDataPersist>
    The configuration elements are as follows:

    • Enable - This enables the persistence of session data. Therefore, this must be configured to true if you wish to enable session persistence.

    • RememberMePeriod - This is the time period (in minutes) that the remember me option should be valid. After this time period, the users are logged out even if they enable the remember me option. The default value for this configuration element is 2 weeks.

    • CleanUp - This section of the configuration is related to the cleaning up of session data. The cleanup task runs on a daily basis (once a day) by default unless otherwise configured in the Period tag. When this cleanup task is executed, it removes session data that is older than 2 weeks, unless otherwise specified in the TimeOut tag.

      • Enable - Selecting true here enables the cleanup task and ensures that it starts running.

      • Period - This is the interval (in minutes) at which the cleanup task runs. The default value is 1 day.

      • TimeOut - This is the timeout value (in minutes) of the session data that is removed by the cleanup task. The default value is 2 weeks.

    • Temporary - Setting this to true enables persistence of temporary caches that are created within an authentication request.
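The ACS URL for each app lives in two places, the app's JSON (storeAcs, publisherAcs) and the ServiceProvider entry in sso-idp-config.xml, and step 3 additionally requires every localhost to be replaced. A check that the two files agree catches the mismatch before the first SAML login fails. The script below is an added example, not WSO2's code: it uses constructed copies of the store and publisher ServiceProvider entries and the corresponding ssoConfiguration sections from above. The wrapper elements around the ServiceProvider entries, the mapping of issuer store to store.json and publisher to publisher.json, the expansion of %https.host% to https://<host>:<port>, and the function names (point_at_host, service_providers, check_sso_config) are all assumptions of the example. With the values exactly as shown on this page, publisherAcs (%https.host%/publisher/sso) differs from the ACS registered for the publisher issuer (/publisher/acs); the check reports that difference so you can confirm which value your deployment actually uses.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the store and publisher ServiceProvider entries from
# sso-idp-config.xml as shown above. The wrapper elements are an assumption of
# this example; the check only looks for ServiceProvider elements.
SSO_IDP_CONFIG = """<SSOIdentityProviderConfig>
  <ServiceProviders>
    <ServiceProvider>
      <Issuer>store</Issuer>
      <AssertionConsumerServiceURLs>
        <AssertionConsumerServiceURL>https://localhost:9443/store/acs</AssertionConsumerServiceURL>
      </AssertionConsumerServiceURLs>
      <DefaultAssertionConsumerServiceURL>https://localhost:9443/store/acs</DefaultAssertionConsumerServiceURL>
      <SignResponse>true</SignResponse>
    </ServiceProvider>
    <ServiceProvider>
      <Issuer>publisher</Issuer>
      <AssertionConsumerServiceURLs>
        <AssertionConsumerServiceURL>https://localhost:9443/publisher/acs</AssertionConsumerServiceURL>
      </AssertionConsumerServiceURLs>
      <DefaultAssertionConsumerServiceURL>https://localhost:9443/publisher/acs</DefaultAssertionConsumerServiceURL>
      <SignResponse>true</SignResponse>
    </ServiceProvider>
  </ServiceProviders>
</SSOIdentityProviderConfig>
"""

# Constructed ssoConfiguration sections of store.json and publisher.json with the
# values shown above, already parsed as json.load would return them.
APP_CONFIGS = {
    "store.json": {"ssoConfiguration": {
        "enabled": True,
        "identityProviderURL": "%https.host%/samlsso",
        "responseSigningEnabled": "true",
        "storeAcs": "%https.host%/store/acs",
    }},
    "publisher.json": {"ssoConfiguration": {
        "enabled": True,
        "identityProviderURL": "%https.host%/samlsso",
        "responseSigningEnabled": "true",
        "publisherAcs": "%https.host%/publisher/sso",
    }},
}

# Assumed mapping: which app file and which key carry the ACS for each Issuer.
ISSUER_TO_APP = {"store": ("store.json", "storeAcs"), "publisher": ("publisher.json", "publisherAcs")}


def point_at_host(sso_idp_xml, host):
    """Step 3: replace every localhost in sso-idp-config.xml with the IdP's IP or domain."""
    return sso_idp_xml.replace("localhost", host)


def service_providers(sso_idp_xml):
    """Map Issuer -> registered ACS URLs and whether the IdP signs responses for it."""
    result = {}
    for sp in ET.fromstring(sso_idp_xml).iter("ServiceProvider"):
        acs = {(e.text or "").strip() for e in sp.iter("AssertionConsumerServiceURL")}
        acs.add((sp.findtext("DefaultAssertionConsumerServiceURL") or "").strip())
        acs.discard("")
        sign = (sp.findtext("SignResponse") or "false").strip().lower() == "true"
        result[sp.findtext("Issuer")] = {"acs": acs, "sign_response": sign}
    return result


def check_sso_config(sso_idp_xml, app_configs, https_host):
    """Return findings; an empty list means the app JSON and the IdP config agree.
    https_host is what %https.host% expands to, e.g. "https://emm.example.com:9443"
    (that expansion is an assumption of this example)."""
    problems = []
    sps = service_providers(sso_idp_xml)
    target = https_host.split("://", 1)[-1]
    # Step 3 left undone: localhost is still registered although the IdP lives elsewhere.
    for issuer, sp in sps.items():
        for url in sorted(sp["acs"]):
            if "localhost" in url and "localhost" not in target:
                problems.append("issuer %s: registered ACS %s still points at localhost" % (issuer, url))
    for issuer, (file_name, acs_key) in ISSUER_TO_APP.items():
        cfg = app_configs[file_name]["ssoConfiguration"]
        if cfg.get("enabled") is not True:
            problems.append("%s: ssoConfiguration.enabled is not true" % file_name)
        if issuer not in sps:
            problems.append("%s: no ServiceProvider with Issuer %s" % (file_name, issuer))
            continue
        acs = cfg[acs_key].replace("%https.host%", https_host)
        if acs not in sps[issuer]["acs"]:
            problems.append("%s: %s=%s is not a registered ACS for issuer %s (registered: %s)"
                            % (file_name, acs_key, acs, issuer, ", ".join(sorted(sps[issuer]["acs"]))))
        if str(cfg.get("responseSigningEnabled")).lower() == "true" and not sps[issuer]["sign_response"]:
            problems.append("%s expects signed responses but issuer %s has SignResponse false" % (file_name, issuer))
    return problems


if __name__ == "__main__":
    xml_for_host = point_at_host(SSO_IDP_CONFIG, "emm.example.com")
    for finding in check_sso_config(xml_for_host, APP_CONFIGS, "https://emm.example.com:9443"):
        print(finding)
```

Run it once with the IdP still at localhost and once after point_at_host: in the first case every registered ACS is flagged as well as the store mismatch, in the second only the publisher difference remains.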

...

The WSO2 EMM administrators can monitor devices by accessing the portal dashboard. Before accessing the dashboard, you need to configure the dashboard server to communicate with the external OAuth protected APIs that its gadgets access.

  1. Configure <ServerRoles> that is in the <EMM_HOME>/repository/conf/carbon.xml file by adding the CDMFPlatform role.

    Code Block
    <ServerRoles>
       <Role>EMMPlatform</Role>
       <Role>CDMFPlatform</Role>
    </ServerRoles>
  2. Configure the designer.json file that is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/portal/configs directory as follows:

    1. If you have enabled SSO for WSO2 EMM, define sso as the value for activeMethod under authentication; otherwise, define the activeMethod as basic.

      Info

      For more information on enabling sso, see the WSO2 Dashboard Server documentation on Enabling SSO in WSO2 DS.

      Example:

      Enabling SSO authentication:

      Configure the following fields:

      • Configure responseSigningEnabled as true.
      • Set the Assertion Consumer Service (ACS) URL as https://<JAGGERY_APP_HOST>:<JAGGERY_APP_PORT>/portal/acs. In WSO2 EMM the jaggery portal application is available in the product itself. Therefore, you can configure <JAGGERY_APP_HOST> as localhost and <JAGGERY_APP_PORT> as 9443 if you have not applied a port offset to WSO2 EMM.

      Example:

      Code Block
      "authentication":{  
         "activeMethod":"sso",
         "methods":{  
            "sso":{  
               "attributes":{  
                  "issuer":"portal",
                  "identityProviderURL":"https://localhost:9443/samlsso",
                  "responseSigningEnabled":"true",
                  "acs":"https://localhost:9443/portal/acs",
                  "identityAlias":"wso2carbon",
                  "useTenantKey":false
               }
            },
            "basic":{  
               "attributes":{  
      
               }
            }
         }
      }
      Enabling basic authentication:
      Code Block
      "authentication":{  
         "activeMethod":"basic",
         "methods":{  
            "sso":{  
               "attributes":{  
                  "issuer":"portal",
                  "identityProviderURL":"https://localhost:9443/samlsso",
                  "responseSigningEnabled":"false",
                  "acs":"https://localhost:9444/portal/acs",
                  "identityAlias":"wso2carbon",
                  "useTenantKey":false
               }
            },
            "basic":{  
               "attributes":{  
      
               }
            }
         }
      }
    2. Configure the authorization attributes.

      Code Block
      "authorization":{  
         "activeMethod":"oauth",
         "methods":{  
            "oauth":{  
               "attributes":{  
                  "idPServer":"%https.ip%/oauth2/token",
                  "dynamicClientProperties":{  
                     "callbackUrl":"%https.ip%/portal",
                     "clientName":"portal",
                     "owner":"admin",
                     "applicationType":"JaggeryApp",
                     "grantType":"password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer",
                     "saasApp":false,
                     "dynamicClientRegistrationEndPoint":"%https.ip%/dynamic-client-web/register/",
                     "tokenScope":"Production"
                  }
               }
            }
         }
      }
      The properties are as follows. All of them are required. Wherever %https.ip% is replaced, the default value for <EMM_HOST> is localhost and, if you have not applied a port offset to WSO2 EMM, the default <EMM_PORT> is 9443.

      • activeMethod - Define the method that needs to be made active from the available authorization methods. In this case you need to define the active mode as OAuth. (Data type: String. Example: OAuth)

      • idPServer - Define the Identity Provider URL by replacing %https.ip% with https://<EMM_HOST>:<EMM_PORT>. (Data type: String. Example: localhost:9443/oauth2/token)

      • callbackUrl - Define the callback URL by replacing %https.ip% with https://<EMM_HOST>:<EMM_PORT>. (Data type: String. Example: %https.ip%/portal)

      • clientName - Define the OAuth application name. (Data type: String. Example: portal)

      • owner - Define the username of the owner of the application. In this use case it is the administrator. (Data type: String. Example: admin)

      • applicationType - The default application type is a jaggery application. If you wish to change it, you need to update this field with the respective application type. (Data type: String. Example: JaggeryApp)

      • grantType - In this use case, out of the six OAuth 2.0 grant types, WSO2 EMM uses the password, refresh_token and saml2-bearer grant types. You can add more grant types as space separated values. If you configured WSO2 EMM for SSO authentication, the saml2-bearer grant type will be used, and if you configured WSO2 EMM for basic authentication, the password and refresh_token grant types will be used. (Data type: String. Example: password)

      • saasApp - Define if this application is a Software as a Service (SaaS) application or not, by defining true or false as the respective values. (Data type: Boolean. Example: false)

      • dynamicClientRegistrationEndPoint - Define the dynamic client registration endpoint by replacing %https.ip% with https://<EMM_HOST>:<EMM_PORT>. (Data type: String. Example: %https.ip%/dynamic-client-web/register/)

      • tokenScope - Define the scope of the issued access token. It is used to limit the authorization granted to the client by the resource owner. (Data type: String. Example: Production)
  3. Optionally, if you configured the authentication method as sso, you need to register the portal application as a service provider. For more information, see the WSO2 Dashboard Server documentation on configuring SSO in DS.
Info

Once you have configured WSO2 EMM to communicate with the dashboard server, you can access the WSO2 EMM device monitoring dashboard console.
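To render designer.json for a given host and check the active authentication method against the grant types it needs, the following added example (not the WSO2 Dashboard Server's own code) assembles the authentication and authorization fragments above into one constructed file, replaces %https.ip% with https://<EMM_HOST>:<EMM_PORT>, and lists anything that contradicts the steps above. The function names (render_designer_json, check_portal_config) and the rule that only the active authentication method's attributes are inspected are assumptions of the example.

```python
import json

# Constructed designer.json assembled from the authentication and authorization
# fragments shown above. The real file has more keys; only these are checked.
DESIGNER_JSON_TEMPLATE = """{
  "authentication": {
    "activeMethod": "sso",
    "methods": {
      "sso": {"attributes": {
        "issuer": "portal",
        "identityProviderURL": "%https.ip%/samlsso",
        "responseSigningEnabled": "true",
        "acs": "%https.ip%/portal/acs",
        "identityAlias": "wso2carbon",
        "useTenantKey": false
      }},
      "basic": {"attributes": {}}
    }
  },
  "authorization": {
    "activeMethod": "oauth",
    "methods": {
      "oauth": {"attributes": {
        "idPServer": "%https.ip%/oauth2/token",
        "dynamicClientProperties": {
          "callbackUrl": "%https.ip%/portal",
          "clientName": "portal",
          "owner": "admin",
          "applicationType": "JaggeryApp",
          "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer",
          "saasApp": false,
          "dynamicClientRegistrationEndPoint": "%https.ip%/dynamic-client-web/register/",
          "tokenScope": "Production"
        }
      }}
    }
  }
}
"""

# Grant types each authentication method relies on, as described above.
GRANTS_FOR_METHOD = {
    "sso": {"urn:ietf:params:oauth:grant-type:saml2-bearer"},
    "basic": {"password", "refresh_token"},
}


def render_designer_json(template, emm_host="localhost", emm_port=9443):
    """Replace %https.ip% with https://<EMM_HOST>:<EMM_PORT> and parse the result."""
    return json.loads(template.replace("%https.ip%", "https://%s:%d" % (emm_host, emm_port)))


def _leftover_placeholders(node, path, found):
    """Collect the paths of string values that still contain %https.ip%."""
    if isinstance(node, dict):
        for key, value in node.items():
            _leftover_placeholders(value, path + "." + key, found)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _leftover_placeholders(value, "%s[%d]" % (path, i), found)
    elif isinstance(node, str) and "%https.ip%" in node:
        found.append(path)
    return found


def check_portal_config(cfg):
    """Return findings that contradict the steps above; empty means consistent."""
    problems = ["%s still contains %%https.ip%%" % p
                for p in _leftover_placeholders(cfg, "designer.json", [])]
    method = cfg["authentication"]["activeMethod"]
    if method not in GRANTS_FOR_METHOD:
        problems.append("authentication.activeMethod must be sso or basic, got %r" % method)
        return problems
    if method == "sso":
        # Only the active method's attributes matter; the basic-auth example above
        # shows the inactive sso block with different values.
        sso = cfg["authentication"]["methods"]["sso"]["attributes"]
        if str(sso.get("responseSigningEnabled")).lower() != "true":
            problems.append('sso.responseSigningEnabled must be "true"')
        acs = sso.get("acs", "")
        if not (acs.startswith("https://") and acs.endswith("/portal/acs")):
            problems.append("sso.acs should be https://<host>:<port>/portal/acs, got %r" % acs)
    authz = cfg["authorization"]
    if authz["activeMethod"] != "oauth":
        problems.append("authorization.activeMethod must be oauth, got %r" % authz["activeMethod"])
    props = authz["methods"]["oauth"]["attributes"]["dynamicClientProperties"]
    missing = GRANTS_FOR_METHOD[method] - set(props.get("grantType", "").split())
    if missing:
        problems.append("grantType lacks %s, needed for %s authentication" % (sorted(missing), method))
    if not isinstance(props.get("saasApp"), bool):
        problems.append("saasApp must be a JSON boolean, got %r" % props.get("saasApp"))
    return problems


if __name__ == "__main__":
    rendered = render_designer_json(DESIGNER_JSON_TEMPLATE, "emm.example.com", 9443)
    print(json.dumps(rendered["authorization"]["methods"]["oauth"]["attributes"], indent=2))
    print("findings:", check_portal_config(rendered))
```

Checking the unrendered template reports every value that still carries %https.ip%; switching activeMethod to basic while leaving only the saml2-bearer grant in grantType reports the missing password and refresh_token grants, which is the case the grantType description above warns about.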